You can configure instant clones to use the vSphere Virtual Machine Encryption feature so that instant-clone desktops have the same encryption keys.

Prerequisites

  • Verify that you are running vSphere 7.0 or later.
  • Create the Key Management Server (KMS) cluster with key management servers.
  • To create a trust between KMS and vCenter Server, accept the self-signed CA certificate or create a CA-signed certificate.
  • In vSphere Client, create the VMcrypt/VMEncryption storage profile.
Note: For details about the Virtual Machine Encryption feature in vSphere, see the vSphere Security document in the vSphere documentation portal.

Procedure

  1. To configure instant clones that use the same encryption keys, use the vSphere Client to create a golden-image VM with the vmencrypt storage policy.
    The vmencrypt storage policy applies only when the golden-image VM does not have any snapshots. The clone inherits the golden-image encryption state, including keys.
  2. Take a snapshot of the golden-image VM with the vmencrypt storage policy applied.
  3. Create instant-clone desktops that point to the golden-image VM with the vmencrypt storage policy applied so that all desktops have the same encryption keys.
    Note: VM Encryption and Content Based Read Cache (CBRC) are not compatible. To use VM Encryption, you must turn off CBRC globally: in Horizon Console, navigate to Settings > Servers and turn off View Storage Accelerator.
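
The following read-only PowerCLI audit is an added example, not part of the original procedure or of VMware's documentation. It checks the result of steps 1 to 3: the golden image is encrypted, carries the expected policy, has a snapshot, and the clones report the same key. It assumes an existing Connect-VIServer session; the three parameter values are hypothetical placeholders.

```powershell
# Added example: read-only audit of the procedure above (makes no changes).
# Assumes Connect-VIServer has already been run against vCenter Server.
# All three default values are placeholders; replace them for your environment.
param(
    [string]$GoldenImageName = '<golden-image-vm-name>',
    [string]$PolicyName      = '<vm-encryption-storage-policy-name>',
    [string]$ClonePattern    = '<instant-clone-name-prefix>*'
)

$golden = Get-VM -Name $GoldenImageName -ErrorAction Stop

# Step 1: an encrypted VM carries a key reference in Config.KeyId.
$goldenKey = $golden.ExtensionData.Config.KeyId
if (-not $goldenKey) {
    throw "Golden image '$GoldenImageName' is not encrypted (no Config.KeyId)."
}

# Step 1: confirm which storage policy is attached to the VM home.
$assigned = (Get-SpbmEntityConfiguration -VM $golden).StoragePolicy
if ($assigned.Name -ne $PolicyName) {
    Write-Warning "Assigned policy is '$($assigned.Name)', expected '$PolicyName'."
}

# Step 2: instant clones are created from a snapshot of the golden image.
$snapshots = @(Get-Snapshot -VM $golden)
if ($snapshots.Count -eq 0) {
    Write-Warning "Golden image has no snapshot yet; take one after encrypting."
}

# Step 3: report each clone's encryption state and compare its key id
# with the golden image's, since clones are expected to inherit the keys.
Get-VM -Name $ClonePattern | ForEach-Object {
    $key = $_.ExtensionData.Config.KeyId
    [pscustomobject]@{
        VM              = $_.Name
        Encrypted       = [bool]$key
        KeyProvider     = $key.ProviderId.Id
        SameKeyAsGolden = [bool]($key -and $key.KeyId -eq $goldenKey.KeyId)
    }
} | Format-Table -AutoSize
```

A clone that shows Encrypted as False, or SameKeyAsGolden as False, was not created from the encrypted golden-image snapshot and should be investigated before the pool is put into service.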